Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\ad494b52c404889b3d083dab5dcef.lnk
- %APPDATA%\microsoft\ezba\axhundhoivqsjzwmliceksvtndwjkpxupmzfaqrgebtbyrycfolg
- %APPDATA%\solarmarker.dat
- '45.##6.165.219':80
- http://45.##6.165.219/
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ep bypass -command "iex(get-content '%TEMP%\RG18LK2RUWVE1IHKS0QA4NMY.ps1')" (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ep bypass -command "iex(get-content '%TEMP%\RG18LK2RUWVE1IHKS0QA4NMY.ps1')"
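The indicators above describe two things a responder can check for: a shortcut dropped into the per-user Startup folder plus a payload and a .dat file under %APPDATA%, and a PowerShell process started with `-ep bypass` that reads a script out of %TEMP% and runs it through `iex`. The following triage helper is an added example, not code from the original entry or from the malware author; it folds real profile paths back to the %APPDATA% / %TEMP% form used in the list, matches the exact file indicators, and flags the loader command line. The two generic rules (any .lnk in the Startup folder, a long random lowercase name under %APPDATA%\Microsoft\<short dir>\) and the sample telemetry are assumptions constructed for this example. The "(with hidden window)" attribute and the partially redacted IP address are not recoverable from the command-line text, so the example does not try to detect them.

```python
"""Triage helper for the SolarMarker indicators listed above (added example)."""
import re

# Exact file indicators copied from the list above, lowercased, with the
# environment variables kept as placeholders.
IOC_FILES = {
    r"%appdata%\microsoft\windows\start menu\programs\startup\ad494b52c404889b3d083dab5dcef.lnk",
    r"%appdata%\microsoft\ezba\axhundhoivqsjzwmliceksvtndwjkpxupmzfaqrgebtbyrycfolg",
    r"%appdata%\solarmarker.dat",
}

# Generic shape rules (assumptions for this example, not taken from the page):
# any .lnk in the per-user Startup folder is a persistence point, and a long
# all-lowercase random file name under %APPDATA%\Microsoft\<short dir>\
# matches the shape of the second indicator.
STARTUP_LNK = re.compile(
    r"^%appdata%\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.lnk$")
RANDOM_APPDATA = re.compile(r"^%appdata%\\microsoft\\[a-z]{3,8}\\[a-z]{30,}$")

# Command-line patterns derived from the two PowerShell lines above.
PS_EXE = re.compile(r"\bpowershell(\.exe)?\b")
EP_BYPASS = re.compile(r"-(ep|executionpolicy)\s+bypass")
IEX_TEMP = re.compile(r"iex\s*\(\s*get-content\s+['\"]?%temp%\\[^'\"]+\.ps1")

# Concrete per-user paths that the placeholders stand for.
_USER_DIR = re.compile(r"[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local\\temp)")


def normalize(text):
    """Lowercase and fold real profile paths back to the %APPDATA% / %TEMP% form."""
    t = text.lower().replace("/", "\\")
    return _USER_DIR.sub(lambda m: "%appdata%" if m.group(1) == "roaming" else "%temp%", t)


def classify_file(path):
    """Return the reasons a file path matches the indicators (empty list if none)."""
    p = normalize(path)
    reasons = []
    if p in IOC_FILES:
        reasons.append("exact SolarMarker file indicator")
    if STARTUP_LNK.match(p):
        reasons.append("shortcut in per-user Startup folder (persistence)")
    if RANDOM_APPDATA.match(p):
        reasons.append("random-named payload under %APPDATA%\\Microsoft")
    return reasons


def classify_cmdline(cmdline):
    """Return the reasons a process command line matches the PowerShell loader."""
    c = normalize(cmdline)
    reasons = []
    if not PS_EXE.search(c):
        return reasons
    if EP_BYPASS.search(c):
        reasons.append("execution policy bypass")
    if IEX_TEMP.search(c):
        reasons.append("iex of a script read from %TEMP%")
    return reasons


def scan(events):
    """events: iterable of (kind, value), kind is 'file' or 'process'.

    Returns a list of (value, reasons) for every event that matched."""
    hits = []
    for kind, value in events:
        reasons = classify_file(value) if kind == "file" else classify_cmdline(value)
        if reasons:
            hits.append((value, reasons))
    return hits


# Constructed sample telemetry for this example (not from the page): three
# entries reproducing the indicators with a real profile path, two benign ones.
SAMPLE_EVENTS = [
    ("file", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
             r"\ad494b52c404889b3d083dab5dcef.lnk"),
    ("file", r"C:\Users\alice\AppData\Roaming\solarmarker.dat"),
    ("file", r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\settings.json"),
    ("process", r'''C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -command "iex(get-content 'C:\Users\alice\AppData\Local\Temp\RG18LK2RUWVE1IHKS0QA4NMY.ps1')"'''),
    ("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command Get-Process"),
]

if __name__ == "__main__":
    for value, reasons in scan(SAMPLE_EVENTS):
        print(value, "->", "; ".join(reasons))
```

Run over the constructed sample, the scan reports the Startup shortcut (both as an exact indicator and as a generic Startup persistence hit), solarmarker.dat, and the bypass-plus-iex command line, and stays quiet on the Teams settings file and the plain Get-Process invocation. Feeding it real Sysmon event 1 / event 11 values only requires mapping those fields onto the (kind, value) tuples.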